Rapid7 Blog

POST STATS:

SHARE

If you are at the RSA Conference this week, you may have seen Microsoft's keynote announcing the new Office 365 Activity Feed API this morning. In case you missed it, Microsoft summarized the announcement in today's blog post. The new Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions within Office 365.

Rapid7 got early access to this technology through Microsoft Technology Adoption Program and is one of the first companies to integrate with Microsoft's new Office 365 Management Activity API. As a result, Rapid7 UserInsight already fully integrates with Microsoft Office 365, enabling incident response professionals to detect and investigate incidents from endpoint to cloud, providing security and transparency for cloud services such as Office 365.

Lateral Movement Extends Beyond the Perimeter and Into the Cloud

Research shows that the use of stolen credentials is still the most common threat action. What's most concerning is that intrusions often go undetected for more than six months because they move laterally across company systems, collecting more and more credentials to gain persistence.

A common misconception is that lateral movement ends with the perimeter. However, with modern enterprise systems extending to cloud services, defenders need to think broader and include cloud services. Once they have compromised the credentials, attackers no longer have to be connected to the corporate network to access documents or email services.

Organizations need to understand user behavior across multiple environments in order to discover and investigate security incidents quickly. The new Microsoft API is a big step forward to arm security professionals with the tools they need to protect their environments and detect malicious behavior as ecosystems expand to the cloud. In enables UserInsight customers to run analytics across their entire ecosystem, within the perimeter and in the cloud.

How UserInsight leverages Microsoft's new Office 365 API

UserInsight builds a baseline understanding of a user's behavior in order to identify changes that would indicate suspicious activity and help security professionals detect an attack. Because UserInsight uniquely collects, correlates and analyzes data across all users and assets, including cloud applications, it can identify suspicious behavior other solutions can't. Examples of potential threats detected within Office 365 include:

Advanced Attacks: UserInsight automatically correlates user activity across network, cloud and mobile environments. UserInsight can detect advanced attacks such as lateral movement from the endpoint to the cloud, including Office365.

Privileged user monitoring: Privileged users are often the ultimate target for intruders. UserInsight monitors Office 365 administrator accounts and alerts the security team of suspicious activity.

Geographically impossible access: The key to protecting the environment is to be able to unify the network, mobile, and cloud environments. For example, a customer would receive an alert if an employee's cell phone synchronizes email via Office 365 from Brazil within an hour of the same user connecting to the corporate VPN from Paris -- clearly one of the connections cannot be legitimate.

Account use after termination: UserInsight detects when a suspended or terminated employee accesses their Office 365 account, helping to stop stolen intellectual property and other business-critical information.

Access to Office 365 from an anonymization service: UserInsight correlates a constantly-updated list of proxy sites and TOR nodes with an organization's Office 365 activity, detecting attackers that are trying to mask their identity and location.

Once suspicious behavior is detected, security teams and incident responders can investigate the users and assets involved in context of various activity from the endpoint to the cloud, now including Microsoft Office 365 activity, and determine the magnitude and impact of the attack. Due to UserInsight's visual investigation capabilities, customers can combine asset and user data on a timeline to rapidly investigate and contain the incident.

Learn more about UserInsight's new capability to detect intruders in Office 365

Want more? Don’t miss these posts

Attackers will always gravitate to the cheapest and most effective way to get into a network. According to the latest Verizon Data Breach Investigations Report, compromised credentials have been the top attacker methodology for two years in a row now. Credentials enable attackers to move…

Administrators and security teams are in for a busy couple days tackling 11 Microsoft security bulletins, 3 Adobe updates and Oracle updates for 43 of their product suites (including Java, Databases and Solaris).Of the 11 Microsoft bulletins, 4 are rated as 'Critical' and affect…

Featured Research

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Toolkit

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Featured Research

Rapid7’s Quarterly Threat Report leverages intelligence from our extensive network—including the Insight platform, managed detection and response engagements, Project Sonar, Heisenberg Cloud, and the Metasploit community—to put today’s shifting threat landscape into perspective. It gives you a clear picture of the threats that you face within your unique industry, and how those threats change throughout the year.